**** This Security Alert is brought to you by the Windows IT Security
channel on the Windows 2000 Magazine Network ****
http://www.win2000mag.net/Channels/Security
Security Alert, May 29, 2001

By embedding a macro in a template and providing another user with a
Rich Text Format (RTF) document that links to the template, an attacker
can cause macros to run automatically when the user opens the RTF
document. Microsoft has released an FAQ and a patch to remedy this
vulnerability.

An unchecked buffer vulnerability in the method Windows Media Player
(WMP) uses to process Active Stream Redirector (.asx) files can result
in a buffer overflow. An attacker can use the vulnerability to run code
on the vulnerable computer under the user's security context. Microsoft
has acknowledged this vulnerability and recommends that users of WMP 6.4
immediately apply the patch contained in Security Bulletin MS01-029. For
users of WMP 7.0, Microsoft recommends an upgrade to version 7.1.

Multiple vulnerabilities exist in eEye's SecureIIS 1.0.2. The first
vulnerability involves the keyword-checking feature: SecureIIS fails to
decode escaped characters in a request's query, which can lead to
information disclosure. The second involves a directory traversal
vulnerability that lets an attacker break out of the Web root directory.
The third vulnerability involves a buffer overrun condition caused by
the way SecureIIS processes HTTP header and large-character requests.
The vendor, eEye Digital Security, recommends that users upgrade to
version 1.0.5, which addresses these vulnerabilities.
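
The first two SecureIIS issues above share one root cause: the request is checked before it is put into canonical form. The following Python sketch is an added example, not code from SecureIIS or from this alert; the keyword list, the web root and all function names are hypothetical. It goes slightly beyond the alert by also decoding repeated layers of escaping.

```python
import posixpath
from urllib.parse import unquote

BLOCKED_KEYWORDS = ("cmd.exe", "boot.ini")   # constructed sample keyword list
WEB_ROOT = "/inetpub/wwwroot"                # constructed sample web root

def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing (%252e -> %2e -> .)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")

def naive_query_allowed(query):
    """Flawed check: compares keywords against the raw, still-escaped query."""
    return not any(k in query.lower() for k in BLOCKED_KEYWORDS)

def strict_query_allowed(query):
    """Decode first, then compare, so escaped spellings of a keyword match."""
    try:
        canonical = fully_decode(query).lower()
    except ValueError:
        return False                         # refuse what cannot be canonicalised
    return not any(k in canonical for k in BLOCKED_KEYWORDS)

def resolve_under_root(url_path):
    """Return the normalised path, or None if it resolves outside WEB_ROOT."""
    try:
        decoded = fully_decode(url_path).replace("\\", "/")
    except ValueError:
        return None
    full = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if full == WEB_ROOT or full.startswith(WEB_ROOT + "/"):
        return full
    return None
```
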
For complete details about these vulnerabilities, including links to
patches and additional information, please visit the following URLs.

* Macros Can Run Without Warning under Microsoft Word
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21251
* Buffer Overflow Condition in Windows Media Player
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21252
* Multiple Vulnerabilities in eEye SecureIIS
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21250
Sincerely,
The Security UPDATE Team (securityat_private)
Copyright 2001, Penton Media, Inc.